From: Chris R. <chr...@me...> - 2001-08-02 07:35:40
Jim Dutton <ji...@du...> wrote:

> I have been successful with LDAPS, though the documentation needs to be
> updated, but have not been able to get LDAP-startTLS to work:
>
> ../test_tls_<remote host>
> $VAR1 = bless( {
>   'net_ldap_async' => 0,
>   'net_ldap_resp' => {},
>   'net_ldap_debug' => 1,
>   'net_ldap_host' => '<remote host>',
>   'net_ldap_version' => 3,
>   'net_ldap_socket' => bless( \*Symbol::GEN0, 'IO::Socket::INET' )
> }, 'Net::LDAP' );
> Net::LDAP=HASH(0x805a084) sending:
>
> 30 1D 02 01 01 77 18 80 16 31 2E 33 2E 36 2E 31   0....w...1.3.6.1
> 2E 34 2E 31 2E 31 34 36 36 2E 32 30 30 33 37 __   .4.1.1466.20037
>
> $VAR1 = bless( {
>   'callback' => undef,
>   'parent' => bless( {
>     'net_ldap_async' => 0,
>     'net_ldap_resp' => {},
>     'net_ldap_mesg' => {
>       '1' => $VAR1
>     },
>     'net_ldap_debug' => 1,
>     'net_ldap_host' => '<remote host>',
>     'net_ldap_version' => 3,
>     'net_ldap_socket' => bless( \*Symbol::GEN0, 'IO::Socket::INET' )
>   }, 'Net::LDAP' ),
>   'mesgid' => 1,
>   'errorMessage' => 'I/O Error 494f3a3a536f636b65743a3a494e45543d474c4f422830783833313764613429',
>   'resultCode' => '1',
>   'pdu' => '0|a``ww=80u1.3.6.1.4.1.1466.20037'
> }, 'Net::LDAP::Extension' );
>
>
> openssl s_server -cert slapd.ssl.certificate -key slapd.ssl.key
>   -CAfile /var/OpenSSL_CA/cacert.pem -debug -state -accept 637
>   -tls1 -bugs -hack
> Using default temp DH parameters
> Enter PEM pass phrase:
> ACCEPT
> SSL_accept:before/accept initialization
> read from 0015B270 [00165190] (5 bytes => 5 (0x5))
> 0000 - 30 1d 02 01 01                                    0....
> SSL_accept:error in SSLv3 read client hello B
> ERROR
> 11599:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:290:
> shutting down SSL
> CONNECTION CLOSED
> ACCEPT

We may need to set SSL_version to 'tlsv1' in the start_tls method - TLS is *not* exactly the same as SSL, after all.

If you step through start_tls, can you tweak that after the call to Net::LDAPS::SSL_context_init_args?

Cheers,
Chris
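An added illustration, not part of the thread: a small Python decoder for the 31 bytes that Jim's debug output shows Net::LDAP sending, plus a look at how a TLS record layer reads the same first five bytes that s_server logged. The hex dump and the StartTLS OID 1.3.6.1.4.1.1466.20037 are taken from the quoted output; the ClientHello header bytes are a constructed sample for comparison. Decoding shows the bytes are a well-formed LDAP ExtendedRequest (messageID 1, requestName = StartTLS OID); read as a TLS record header they give content type 0x30 and version 0x1d02, which is what SSL3_GET_RECORD reports as "wrong version number". StartTLS therefore only works against a listener that speaks LDAP first and switches to TLS after answering the extended request; a bare TLS listener such as s_server expects the handshake as the very first bytes, which is the LDAPS model.

```python
"""Decode the StartTLS extended request quoted above and show how a raw
TLS listener interprets its first five bytes. Added example, not thread code."""

# Hex dump quoted in the thread (the 31 bytes Net::LDAP sent), re-typed here.
START_TLS_PDU_HEX = (
    "30 1D 02 01 01 77 18 80 16 31 2E 33 2E 36 2E 31 "
    "2E 34 2E 31 2E 31 34 36 36 2E 32 30 30 33 37"
)
START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS OID, also visible in the dump

# Constructed sample: first five bytes of a TLS 1.0 record carrying a handshake
# (content type 0x16, version 0x0301, fragment length 0x0100).
SAMPLE_TLS_RECORD_HEADER = bytes.fromhex("16 03 01 01 00")


def read_tlv(buf, pos):
    """Read one BER TLV at pos (short- or long-form length).

    Returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_ldap_message(data):
    """Decode an LDAPMessage: SEQUENCE { messageID INTEGER, protocolOp }.

    For an ExtendedRequest ([APPLICATION 23], tag 0x77) the requestName
    ([0] LDAPOID, tag 0x80) is extracted and compared to the StartTLS OID."""
    tag, body, end = read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    mid_tag, mid, pos = read_tlv(body, 0)
    if mid_tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op, _ = read_tlv(body, pos)
    msg = {"messageID": int.from_bytes(mid, "big"), "protocolOp": op_tag}
    if op_tag == 0x77:
        name_tag, name, _ = read_tlv(op, 0)
        if name_tag != 0x80:
            raise ValueError("ExtendedRequest without requestName")
        msg["requestName"] = name.decode("ascii")
        msg["isStartTLS"] = msg["requestName"] == START_TLS_OID
    return msg


def as_tls_record_header(first5):
    """Interpret five bytes the way a TLS record layer does:
    content type (1 byte), protocol version (2), fragment length (2)."""
    if len(first5) < 5:
        raise ValueError("need five bytes")
    return {
        "content_type": first5[0],
        "version": (first5[1] << 8) | first5[2],
        "length": (first5[3] << 8) | first5[4],
    }


def is_plausible_tls_record(first5):
    """Record-layer sanity check: known content type and major version 3."""
    hdr = as_tls_record_header(first5)
    return hdr["content_type"] in (0x14, 0x15, 0x16, 0x17) and (hdr["version"] >> 8) == 0x03


def classify_first_bytes(first5):
    """Tell an LDAP BER message apart from a TLS record by its opening bytes."""
    if is_plausible_tls_record(first5):
        return "tls-record"
    if first5[0] == 0x30:  # universal SEQUENCE tag: start of an LDAPMessage
        return "ldap-ber"
    return "unknown"


if __name__ == "__main__":
    pdu = bytes.fromhex(START_TLS_PDU_HEX)
    print(decode_ldap_message(pdu))
    print("first five bytes as a TLS header:", as_tls_record_header(pdu[:5]))
    print("classified as:", classify_first_bytes(pdu[:5]))
    print("sample ClientHello header classified as:",
          classify_first_bytes(SAMPLE_TLS_RECORD_HEADER))
```

Running it prints the decoded request and the 0x30 / 0x1d02 header interpretation; the same classifier can be pointed at the first bytes of any captured connection to tell whether a client is speaking plain LDAP (and will need StartTLS) or starting a TLS handshake directly (LDAPS).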